Archives

Pages

Search

Tag: Linux

If you have Windows running in a virtual machine (VM), you may find yourself wanting to reduce the overall disk-footprint of the VM’s virtual disk on your host.

For example: because I had created my Windows VM by copying a raw disk in it’s entirety, I had a 120GB VM raw image (.img) file for a Windows installation that was only taking up about 20GB of actual space.

It took a bit of research for me to piece together all of the steps required to reduce my 120GB image down to a reasonable size. Here’s the steps I took.

Assumptions

You’re using KVM as your hypervisor. There may be some tips in here that are useful for other VMs, but I’m assuming you’re using KVM.

Your .img file is in a raw image file format. There may be some tips in here if you’re trying to shrink a qcow2 image file, but you should probably not follow this verbatim.

This process is risky – be careful and don’t blame me if things go amiss. And make backups before you start.

You are okay deleting the “recovery partition” on your Windows VM image. This process will most certainly delete the recovery partition (if it exists). For most people, this isn’t a big deal… if you need to recover Windows, there are other ways to do it and the partition was just wasting space.

Reduce the size of your Windows partition

This turns out to be more involved than you’d think. That’s mainly because there are several steps to take to enable Windows to pack all of your data into one end of the disk partition so it’s size can be reduced.

These steps are useful if you’ve ever encountered the “You cannot shrink a volume beyond the point where any unmovable files are located” error when trying to shrink a partition in Windows.

For step 4 (Defrag your ‘hard disk’), this turned out to be a tricky step with a very simple answer. Most folks will point you to the Windows UI to “Optimize” your disk. However, if Windows thinks your C: drive is an SSD it (correctly) won’t do a defrag on it.

To get around that, simply run defrag from an elevated / admin command prompt!

defrag C: /U /V

Consider running defrag twice – once as above, and once again with the /X option is to consolidate free space.

Shrink your Windows partition

Launch the Windows Disk Management console (Protip: you can get to it by right clicking in the lower left hand corner of your screen and selecting “Disk Management”)

Right click on the main partition of your C drive.

Select Shrink Volume

After some thinking, you should be able to set the size of the disk as small as you’d like. Make your selection and click “Shrink”

Make note of the final size of the of all the partitions on the disk – you’ll need that number for when you go to reduce the .img size in the next step. It’s safer to round-up than down!

Shutdown your Windows VM

You’ll want to shut down Windows now. You don’t want it running when you’re cutting down the .img file size.

Shrink the image (.img) file

This is where the magic happens… and it’s not that complicated.

Locate your .img file. In my case, I’m running unRAID, so my VM images are all in /usr/mnt/domains by default.

Make a copy of your VM’s .img file. You’ll want it in case this screws up.

cp ./vdisk.img ./backup_vdisk.img

Shrink the image to the size you want it to be. Remember, this has to be bigger than the total size of the Windows partitions on the disk. So, if there’s a 1GB partition and a 30GB partition, it’s probably safe to shrink the image down to 32GB to be safe.

Expand the size of your Windows partition

If you rounded up when shrinking your .img file, you probably have some extra unallocated space a the end of your Windows partition. To make use of it:

Launch the Disk Management console

Right click on your Windows partition

Select Extend Volume and follow the dialog to increase the space of the partition

Consider converting from raw .img to qcow2

There are pros and cons to each format; some of the pros of qcow2 are the ability to snapshot the VM and sparse allocation (which can further save space). However raw can be faster. I’m sticking with raw for now.

Because I was turning my Windows 10 Pro server into an Linux (unRAID) machine I already had a Windows installation running on the bare metal that I had spent a fair bit of time setting up. I didn’t want to lose that installation and the work put into it. So, rather than starting over with a fresh Windows installation I took the operating system that was already installed, copied it, and started running it as a virtual machine (VM). Here are the steps I took to convert that Windows installation into a functioning VM.

They’re also useful for anyone running KVM as a hypervisor – not just specific to unRAID.

Before you begin

Makes sure you have access to your Windows license. If you upgraded from Windows 7 or 8 to Windows 10 for free this is really important. If you haven’t already, follow the steps here in “Before you shutdown Windows”.

Your hardware must be capable of processor virtualization (Intel VT-x or AMD-V), and it must be enabled in your BIOS. Depending on what you plan to do with your VM, you may need to meet other hardware requirements.

unRAID must have VMs enabled and configured. An important step here is to download the VirtIO Drivers ISO

unRAID needs to have User Shares created to hold the virtual machine images; by default, these are created for you by a new installation at /mnt/user/domains/

Check to make sure that your User Share (above) has enough room for the full size of your Windows Operating System hard drive. You’re going to copy the entire hard drive including the empty space.

By default, most of these things were done already on my machine, but it’s good to check them before proceeding.

Add a new Virtual Machine

On the VMs tab, click the Windows 10 template (or template for your version of Windows).

Click on the switch for the Basic View to toggle it to the Advanced View (in the upper-right corner of the screen) if it isn’t already set.

Configure the VM with the following settings:

Name your VM whatever you wish: For this example, I’m using “Windows 10”

CPU Mode: Host Passthrough

Logical CPUs: However many you wish (at least one)

Initial Memory / Max Memory: at least 2GB is recommended

Machine: i440fx-* (whatever the newest is)

BIOS: SeaBIOS

Hyper-V: Yes

OS Install ISO: Leave empty

VirtIO Drivers ISO: Select the virtio-win*.iso that (should have been) downloaded as part of enabling VMs on unRAID.

VirtIO Drivers CDRom Bus: IDE

Primary vDisk Location: Auto

Primary vDisk Bus: IDE

Primary vDisk Type: raw

Primary vDisk Size: 0G (You’ll be overwriting this file in the next step)

Graphics Card: VNC

VNC Video Driver: QXL

VNC Password: Set it if you’d like – this is how you’ll access the ‘screen’ of the running VM

VNC Keyboard: Set to the right language for your OS

Sound Card: None (or select one if your device supports passthrough)

Network MAC: this is set randomly, though you can change it.

Network Bridge: br0

USB Devices: I recommend leaving all unchecked for now.

USB Mode: 2.0 (EHCI) is what I found worked for me.

Other PCI Devices: I recommend leaving all unassigned until you confirm the VM launches correctly.

Uncheck Start VM after creation

Hit Create.

Copy the OS Drive to an image

Next up, you need to copy the data from your OS drive to an virtual disk image that the VM can boot off of.

Identify the disk that contains your Windows Operating System. You can find it by looking in the unRAID web UI in the Main tab under Unassigned Devices. Look for the drive that you booted windows off of before you installed unRAID. Make note of the disk id (e.g. sdb, sdc, sde, etc.)

SSH into your unRAID system as root. By default unRAID doesn’t have a root password, but you should have set a strong one by now… right?

Replace Windows\ 10 with the name you gave your Virtual Machine (if you need to see what it is run the ls /mnt/user/domains command to see what it’s name is on disk)

Wait. It’ll take a while, assuming you have a reasonably large OS installation disk.

Start your Windows VM & Install the VirtIO Drivers

Because Windows is now running as a Virtual Machine on KVM, it will think there is new “hardware” and will require (and benefit from) having the right drivers installed.

In the unRAID VMs tab, click on your newly created VM and click Start

After the VM has started, you can VNC into the machine and interact with it. You can do this one of two ways.

Click on the running Windows VM and select “VNC Remote”

(Preferred) Install a VNC client like TightVNC and connect to the VM directly. To do so, you’ll need to know the IP address of your server and connect to the VNC port of the VM (which is listed next to the running VM)

Right click on the .inf file (i.e. balloon.inf) and click install. (You may need to enable the viewing of file extensions to find the right file)

Repeat the above process for each of the following folders

NetKVM

vioserial

viostor

You may want to check Windows Device Manager to make sure there are no devices which have yellow warning exclamations next to them – if so, you’ll likely need to install an additional driver.

When done with the driver installation, navigate to the guest-agent folder and double click on qemu-ga-x64.msi to install the QEMU/KVM guest agent.

Shutdown the VM & update disk settings

Now that you know that the VM boots and you’ve got the drivers installed, you can stop the VM and update the physical disk to use the VirtIO bus which will give you better performance.

Stop the Windows VM. You can do this one of two ways – one, by initiating a Shutdown from within Windows. Or, you can click on the VM image in unRAID and select Stop which will also gracefully shut down Windows.

In the unRAID web UI, in the VMs tab, select the Windows VM and select Edit

Change the following settings:

Primary vDisk Bus: VirtIO

VertIO Drivers ISO: delete the entry

Restart the VM and make sure it’s operating correctly.

Reactivate your Windows license

Windows checks it’s license validity based on your machine’s hardware. Any time you change the hardware, Windows needs you to reactivate your license. You’ll need to run through the activation steps in the VM to re-activate your Windows license because Windows will think you just changed a lot of hardware.

To do that, search for “Activation” from the Windows 10 Start menu. From there, you should be able to follow the prompts to activate your copy of Windows. Somewhere along the way, in smallish font, it’ll ask you if you recently changed hardware. Click that option and go from there – i.e. log into your Microsoft Account, select the machine/license associated with this Windows installation.

(Optional) Remove Unneeded Software & Drivers

Because your old Windows machine had a lot of device specific drivers installed on it to operate on your hardware, you may have a lot of cruft that can now be removed. Log into your Windows machine and take a stroll through the “Add or Remove Programs” menu to see if there’s anything that can be removed. For me, I could uninstall any Intel and RealTek Drivers, ASUS motherboard features, etc. that were no longer relevant. It’s a nice thing to slim up the now VM’d Windows OS.

(Optional) Optimize the Window VM

(Optional) Reduce / Shrink the size of the VM image

Now, you’re probably saying to yourself… geez, I don’t need a XXX GB image file that just happened to be the size of your old OS hard drive just to run Windows. You probably want to slim that down. Here’s instructions on exactly how to do that.

By default, unRAID has a few pretty big security vulnerabilities which should be addressed immediately after installation.

My take is that unRAID is secure enough to operate within my home network behind a firewall, not exposed to the internet. Adding the steps here will make it more secure to protect against the unlikely, yet unfortunate possibility that someone nefarious gains access to your home network.

Here’s my list of steps taken to secure my unRAID install. If folks have more that I’m missing, I’d love to add them here!

Add password for root

It’s really bad that unRAID doesn’t force you to set a root user password as part of the installation. There’s really no excuse for this type ‘insecure by default’ philosophy when it’s so easy to fix.

So, to fix it yourself, go to the web UI and navigate to Users > Select ‘root’ > Add a Password.

It will take all of 30 seconds to do it.

Create users that aren’t root

It’s always a good idea to do as little as possible as the root account on a Linux system. While you’re on the Users screen, go ahead and make users for yourself and others you want to have access to shares. The only thing these users can do is access shares.

Restrict access to your shares

If you don’t have to expose a share via SMB, don’t! Just turn them off.

If you don’t have to give people write access, make them read only.

I prefer to set my shares that are available via SMB to “Private” for the Security level which gives guests no access, and then set the proper access control for each user in the house. To make the changes, just go through each share under the Shares tab and set your SMB Security Settings and User Access however you see fit.

Disable access to the /flash share

For some crazy reason, the USB drive that hosts the operating system is shared by default as /flash. I don’t remember if the default permissions on it are “Private” or not, but I think it’s a good idea to just not have it shared at all.

This one is trickier to find, however, because it’s not listed under the Shares tab. To find the controls, go to the Main tab, and click on the Flash drive link.

Go to Settings > SMB (Under Network Services). Under the SMB Extras add the following line text:

#disable SMB1 for security reasons
[global]
min protocol = SMB2

Disable Telnet & FTP access

unRAID comes with Telnet and FTP enabled by default. That’s really pretty silly this day and age. If you want to access a command prompt, you should use ssh. If you want to transfer files, use anything but FTP.

The easiest way to disable them both is to leverage the Tips & Tweaks plugin.

Install the Tips and Tweaks plugin by going to Plugins > Install Plugin and using the following URL:

Ransomware protection

I honestly don’t know if this plugin would help in the event of a ransomware attack, but I think the principle is sound and it’s a pretty low hassle way to add some protection. The recent WannaCry ransomware attack highlighted the need for some additional consideration for me.

The general idea is to create a honeypot of files and shared folders that, if modified, immediately trigger unRAID to go into read-only mode (and/or disable access to all shares). If someone tries to encrypt and delete your files, unRAID would simply cut off access. This is particularly useful since these shares can be accessed by all of your users on potentially vulnerable machines… so if one of their machines gets infected with randsomware, and it tries to access your unRAID shares (because those machines likely have the share passwords cached), unRAID can stop the attack from being completely successful.

Setup email notifications

This one is important so that you can be notified by the various plugins and unRAID itself about the condition of the server. This isn’t just about security, obviously, but also about the general health of the system.

For example, you’ll be notified about plugin and server updates which are available, hard drives that are too hot, errors that crop up, etc.

You can find the settings under the Settings tab > Notification Settings

Keep your server up to date

unRAID itself and all of the plugins are easy to update – just go to the Plugins tab and click the “Check for Updates” button. Then go through and update each plugin – including the unRAID OS itself.

If you run any Docker containers, unRAID will let you know if they have updates available as well on your dashboard (they’ll be a different color). For any VM you run, make sure to check for updates on them regularly as well.

Further Reading

There’s a good thread on the Lime Technologies forum – Is unRAID really unsecure? I would recommend reading that as well – there are some good pointers there about other basics not covered here, like making sure to keep your system up to date, maintaining good backups, etc.

My take is that unRAID is secure enough to operate within my home network behind a firewall, not exposed to the internet. Adding the steps above make it even more secure to protect against the unlikely, yet unfortunate possibility that someone nefarious gains access to your home network.